✦ Security & compliance

No formal SOC2 yet.
Plenty in the box anyway.

We’re a young product, so we don’t carry SOC2 or ISO 27001 yet. Here’s what we DO have today, in plain language — the kind of detail you’d find in a real auditor checklist, not a marketing badge.

🔑

Auth hardened from day one

JWT in HttpOnly + sameSite=lax cookies
bcrypt password hashing (cost 12)
Account lockout after 5 failed attempts
Email OTP for verification + password reset

🏢

Multi-tenant isolation

Per-organization member list with roles
Receipt queries scoped to caller’s orgs
Reports + CSV export respect membership
Cross-tenant access returns 403, never silently

📜

Append-only audit log

Every state transition logged with actor + IP + UA
Login, password reset, role change, export — all recorded
Approved receipts immutable; rejection history preserved
Atomic findOneAndUpdate prevents double-processing

🧪

Defensive on the edges

Magic-byte attachment validation (rejects spoofed MIME)
Search regex capped at 200 chars (no ReDoS)
Rate-limited login / signup / OTP endpoints
Same-origin enforcement on state-changing API calls

🇮🇳

Built for Indian compliance

GSTIN, PAN, CIN per organization
INR with proper Indian number grouping
Receipts retain registration / contact details for audits
Data hosted in MongoDB Atlas with daily backups

🛂

Restricted privileged access

Admin accounts can only be seeded via server script
No UI path promotes a user to ADMIN — even by an admin
Public signup is locked to MAKER and CHECKER roles
Last active admin cannot be demoted (lockout protection)

Got security questions?

Mail us. Real human, usually replies same day.

Talk to us Privacy policy

✦ Security & compliance

No formal SOC2 yet.
Plenty in the box anyway.

🔑

Auth hardened from day one

JWT in HttpOnly + sameSite=lax cookies
bcrypt password hashing (cost 12)
Account lockout after 5 failed attempts
Email OTP for verification + password reset

🏢

Multi-tenant isolation

Per-organization member list with roles
Receipt queries scoped to caller’s orgs
Reports + CSV export respect membership
Cross-tenant access returns 403, never silently

📜

Append-only audit log

Every state transition logged with actor + IP + UA
Login, password reset, role change, export — all recorded
Approved receipts immutable; rejection history preserved
Atomic findOneAndUpdate prevents double-processing

🧪

Defensive on the edges

Magic-byte attachment validation (rejects spoofed MIME)
Search regex capped at 200 chars (no ReDoS)
Rate-limited login / signup / OTP endpoints
Same-origin enforcement on state-changing API calls

🇮🇳

Built for Indian compliance

GSTIN, PAN, CIN per organization
INR with proper Indian number grouping
Receipts retain registration / contact details for audits
Data hosted in MongoDB Atlas with daily backups

🛂

Restricted privileged access

Admin accounts can only be seeded via server script
No UI path promotes a user to ADMIN — even by an admin
Public signup is locked to MAKER and CHECKER roles
Last active admin cannot be demoted (lockout protection)

Got security questions?

Mail us. Real human, usually replies same day.

Talk to us Privacy policy

No formal SOC2 yet.Plenty in the box anyway.

Auth hardened from day one

Multi-tenant isolation

Append-only audit log

Defensive on the edges

Built for Indian compliance

Restricted privileged access

Got security questions?

No formal SOC2 yet.Plenty in the box anyway.

Auth hardened from day one

Multi-tenant isolation

Append-only audit log

Defensive on the edges

Built for Indian compliance

Restricted privileged access

Got security questions?

No formal SOC2 yet.
Plenty in the box anyway.

No formal SOC2 yet.
Plenty in the box anyway.